Privacy on Facebook: Beacon and Beyond

INTRODUCTION

Privacy on Facebook: Beacon and Beyond

INTRODUCTION

Line: 36 to 36

As noted above, Facebook has continued to aggregate data on users’ outside-Facebook activities. New developments suggest this will only continue, possibly on an even larger scale. Facebook has developed a feature called Lookalike, which targets users based on demographic similarity. Additionally, there is the looming menace of CISPA, which may allow the government to access user information (which for now is subject to Facebook’s sieve-like privacy-policy). The Beacon settlement should have created a more dynamic organization as part of the settlement. The Digital Trust Foundation has not popped up yet, but we should keep an eye out for when it does, and examine what it actually achieves in terms of digital privacy.

Added:

>>

Why not be brief about
it, and say that Facebook was permitted to spend $6m on a tax-free
lobbying operation run by their own chief lobbyist? Why not say
that this means nothing whatever; Facebook spent more money on PR
over Beacon, going in and coming out, than all of this money many
times over? Given that there's no here here, why are you writing
about it? In other words, you need to explain to the reader why the
meaninglessness of this nonevent has some larger significance than
its nothingness.

On February 26th, the 9th Circuit denied petitions for rehearing and petitions for rehearing en banc of the $9.5 million settlement approved by the district court in Lane v. Facebook, Inc.. The settlement pertained to Beacon, which was controversially part of Facebook’s advertisement system from November 2007 to September 2009. The 9th Circuit’s refusal to review the settlement means that Facebook members, contrary to the goal of class action lawsuits, are left in no better position after the settlement than before, due to the cy pres award to a charity Facebook is ordered to found.

>>

Privacy on Facebook: Beacon and Beyond

INTRODUCTION

Deleted:

<<

FACTS

Changed:

<<

“Beacon” was launched in November 2007. It was meant to allow “members to share with friends information about what they do elsewhere on the Internet.” Lane v. Facebook, Inc., 696 F.3d 811, 816 (9th Cir. 2012). In short, it sent data from external websites to Facebook, which allowed for targeted advertising and publishing of external activities on members’ personal profiles. Companies such as Overstock.com, Blockbuster, and Bluefly contracted with Facebook to participate in the Beacon program.

>>

On February 26th, the 9th Circuit denied petitions for rehearing of the $9.5 million class-action settlement approved by the district court in Lane v. Facebook, Inc. The settlement pertained to Beacon, a controversial part of Facebook’s advertisement system that gathered and published information about Facebook users’ online transactions. The settlement included a cy pres award to a charity that Facebook is ordered to found.

Changed:

<<

The program was not opt-in; it never required the Facebook members to give affirmative consent in order to participate. Many members complained about a violation to their privacy. While one could “opt-out” of the Beacon program, in order to do so the member had to understand Facebook’s privacy controls, but also those of third party Beacon participantshttp://docs.justia.com/cases/federal/district-courts/california/candce/5:2008cv03845/206085/1/. Further, there was no option to turn off the program altogether. A Computer Associates security researcher found that Beacon reported back to Facebook about a member’s activities on third party participant sites, even if users were logged off Facebook and opted out of Beacon. There were many complaints by Facebook users about Beacon – within ten days, more than 50,000 Facebook members signed a petition objecting to the program. The Beacon program remained turned on by default until December 2007, when, in response to negative press and negative responses by Facebook members, Facebook instituted new privacy controls. Ultimately Beacon was taken down altogether in 2009, as a condition of the class action settlement.

>>

Facebook doesn’t appear to be humbled by the settlement; it has recently partnered with several data-mining companies to further target ads for users. It is uncertain as of yet how efficiently Facebook will target consumers, and how users will react to the amount of knowledge Facebook has of their non-Facebook activity.

Deleted:

<<

As a result of the settlement, the plaintiff’s attorneys were paid around $2.5 million; the 19 named plaintiffs on the class action received amounts varying from $1,000 to $15,000; but the remaining $6.5 million was not disbursed to the class, and instead was granted cy pres to fund (and found) a charity called the Digital Trust Foundation. The Foundation will directed by a three-person board, including Facebook’s director of public policy, Tim Sparapani. The Foundation made a written commitment to “fund and sponsor programs designed to educate users, regulators[,] and enterprises regarding critical issues relating to protection of identity and personal information online through user control, and the protection of users from online threats.” In short, the Foundation, created by Facebook’s money, which has a Facebook officer as a member of its three-person board, would do no work to remedy Internet companies’ unauthorized disclosure of private information and invasion of privacy. Rather, its goal will be to educate users and to shift the onus of responsibility for invasion of privacy to the person who had their private information disseminated.

Changed:

<<

JUDGE MILAN SMITH’S DISSENT

>>

SUMMARY OF BEACON ISSUE

Changed:

<<

The cy pres settlement drew criticism and challenges, including from the Electronic Privacy Information Center. “[T]he term ‘cy pres’ derives from the Norman French expression cy pres comme possible, which means ‘as near as possible,’” and arose as a rule of construction to save a testamentary charitable gift that would otherwise fail, allowing the next best use of the funds. Democratic Cent. Comm. v. Washington Metro. Area Transit Comm’n, 84 F.3d 451, 455 n.1 (D.C. Cir. 1996). Upon the 9th Circuit’s denial of rehearing en banc, Judge M. Smith, joined by Judges Kozinski, O’Scannlain, Bybee, Bea, and Ikuta, dissented on the grounds that the cy pres award (1) was neither reasonably certain to benefit the class, (2) nor advanced the objectives of the statutes relied upon in bringing suit.

>>

“Beacon,” launched November 2007, was meant to allow Facebook users to share what they did elsewhere on the Internet with their friends. The program sent records of transactions from external partner websites, such as Overstock.com or Blockbuster, to Facebook, which then published these transactions on personal profiles; Facebook also used the data to target advertising to users. Facebook members participated in the program by default. While users could opt-out of having the transaction appear on their profile, a researcher discovered there was no way to turn off the program altogether (i.e. Facebook would continue to gather data on user transactions). Further, the partner websites were sending Facebook information on customers who were not Facebook users.

Changed:

<<

As Judge Smith noted, the Digital Trust Foundation has no record of service in remedying the types of wrongs alleged by class action plaintiffs, because the Foundation is going to be created as a part of the settlement. As such, it has no history whatsoever. Arguably, having a organization specifically created to address the types of wrongs alleged by plaintiffs could be an appropriate remedy, as long as the funds granted by the settlement would be definitely and narrowly used for the benefit of class members. However, “[[http://cdn.ca9.uscourts.gov/datastore/opinions/2013/02/26/10-16380.pdf][[f]ashioning an open-ended, one-sentence mission statement]] . . . completely eviscerate[s] the meaning of [the 9th Circuit’s] previously controlling case law” on cy pres. The Foundation’s written commitment is to fund and sponsor “programs” to “educate users” on “critical issues” relating to Internet privacy—very general terms.

>>

The Beacon program remained on by default until December 2007, until negative press and user response forced Facebook to change privacy settings. Ultimately Beacon was taken down in 2009, as a condition of the class-action settlement.

Changed:

<<

Ninth Circuit precedent requires that charities spend cy pres funds to advance “objectives of the underlying statutes.” Nachshin v. AOL, LLC, 663 F.3d 1034, 1036 (9th Cir. 2011). However, in this case, all but one of the underlying statutes under which class action plaintiffs brought their cases—the Electronic Communications Privacy Act, the Computer Fraud and Abuse Act, the Video Privacy Protection Act, and the California Computer Crime Law (exception is the California Consumer Legal Remedies Act)—are meant to prevent the unauthorized access or disclosure of private information. Given that Facebook already has possession of all of member information, it seems rather pointless to have a charity that will focus on teaching users on how to protect themselves “through user control” and from “online threats.” If cy pres is supposed to mean “as near as possible,” this falls far short of the mark. As Judge Smith pithily notes, the only way the Foundation could teach Facebook users to protect themselves from Facebook is if it “teaches Facebook users not to use Facebook. That seems unlikely.” And indeed, this seems even more unlikely given Facebook’s presence on the board.

>>

POST-BEACON

Changed:

<<

CONCLUSION

>>

Despite the settlement, Facebook continues to gather information about its users’ activities outside Facebook. FIRST, in late February, Facebook announced partnerships with several companies, including Acxiom, Datalogix, and Epsilon. These companies collect information on consumer spending habits based on data from financial-services companies, court records, and federal government documents; in short, even MORE personal information than collected through Beacon (because the information isn’t limited to participating websites). This allows advertisers to target specific segments of the population. SECOND, companies can provide Facebook with customer email addresses, which Facebook would, in encrypted form, match with profiles. This allows companies to advertise to their existing customer base. Users can opt-out of receiving these advertisements through Facebook and each third party partner, which is an arduous process. In reality, consumers can only escape this targeted advertising through blocking Web trackers and being mindful of sharing email addresses.

Changed:

<<

As it stands, the cy pres award has been diverted away from plaintiffs into a cause that doesn’t seem like it is designed to redress the wrongs done to the class. As such, it doesn’t benefit the class, and the 9th Circuit should have chosen to rehear the settlement for plaintiffs’ true benefit.

>>

As the NY Times notes, “whether Facebook users will enjoy seeing ‘relevant’ ads or be alienated by more intensive tracking remains to be seen.” It is important to note that Facebook users generally like Facebook Connect, which allows the user to choose to connect their Facebook identity to external sites.

Added:

>>

Facebook users’ comfort level may depend on how heavy-handed the targeted advertising appears, not unlike the controversy Target faced when it narrowly advertised toward women that it figured out, through its accumulated data, were pregnant. As long as the company’s aggregation of private information merely lead to increased convenience, consumers appear largely unconcerned; concerns increase when the company shares that information with the public, or in some other heavy-handed way reveals how much it knows about its users.

CY PRES

Changed:

<<

<--/commentPlugin-->

>>

Of the Beacon settlement, after paying plaintiffs’ counsel and awarding the named plaintiffs, $6.5 million remained. That amount, instead of being disbursed to the class, was granted cy pres (a rule of construction to save a charitable gift that would otherwise fail, by allowing the next best use of the funds) to found a charity called the Digital Trust Foundation. The Foundation’s [[ http://www.mediapost.com/publications/article/183468/divided-court-oks-facebooks-privacy-foundation.html#axzz2MW8jkAbZ][three-person board]] will include Facebook’s director of public-policy, Tim Sparapani. The Foundation made a commitment to “fund and sponsor programs designed to educate users, regulators[,] and enterprises regarding critical issues relating to protection of identity and personal information online through user control, and the protection of users from online threats.” Lane v. Facebook, Inc., 696 F.3d 811, 822 (9th Cir. 2012). In short, the Foundation would not work to remedy Internet companies’ unauthorized disclosure of private information, but to put the onus of responsibility for invasion of privacy onto individuals.
The settlement drew criticism and challenges. Upon the 9th Circuit’s denial of rehearing en banc, Judge Smith, joined by five other judges, dissented on grounds that the cy pres award (1) was neither reasonably certain to benefit the class, (2) nor advanced the objectives of the statutes relied upon in bringing suit.
FIRST, it is not “reasonably certain” that the settlement would benefit the class, as the mission statement of the Foundation is to sponsor “programs” to “educate users” on “critical issues” relating to Internet privacy. Such an “open-ended, one-sentence mission statement . . . completely eviscerate[s] the meaning of [the 9th Circuit’s] previously controlling case law” on cy pres.
SECOND, the statutes under which class-action plaintiffs brought their case are meant to prevent unauthorized access or disclosure of private information. Given that Facebook already possesses all member information, it seems pointless to have a charity to teach users how to protect themselves “through user control” from “online threats.” While cy pres means “as near as possible,” this falls far short of the mark. As Judge Smith notes, the only way the Foundation could teach Facebook users to protect themselves from Facebook is if it “teaches Facebook users not to use Facebook. That seems unlikely.”

CONCLUSION

As noted above, Facebook has continued to aggregate data on users’ outside-Facebook activities. New developments suggest this will only continue, possibly on an even larger scale. Facebook has developed a feature called Lookalike, which targets users based on demographic similarity. Additionally, there is the looming menace of CISPA, which may allow the government to access user information (which for now is subject to Facebook’s sieve-like privacy-policy). The Beacon settlement should have created a more dynamic organization as part of the settlement. The Digital Trust Foundation has not popped up yet, but we should keep an eye out for when it does, and examine what it actually achieves in terms of digital privacy.

On February 26th, the 9th Circuit denied petitions for rehearing and petitions for rehearing en banc of the $9.5 million settlement approved by the district court in Lane v. Facebook, Inc.. The settlement pertained to Beacon, which was controversially part of Facebook’s advertisement system from November 2007 to September 2009. The 9th Circuit’s refusal to review the settlement means that Facebook members, contrary to the goal of class action lawsuits, are left in no better position after the settlement than before, due to the cy pres award to a charity Facebook is ordered to found.

On February 26th, the 9th Circuit denied petitions for rehearing and petitions for rehearing en banc of the $9.5 million settlement approved by the district court in Lane v. Facebook, Inc.. The settlement pertained to Beacon, which was controversially part of Facebook’s advertisement system from November 2007 to September 2009. The 9th Circuit’s refusal to review the settlement means that Facebook members, contrary to the goal of class action lawsuits, are left in no better position after the settlement than before, due to the cy pres award to a charity Facebook is ordered to found.

FACTS

“Beacon” was launched in November 2007. It was meant to allow “members to share with friends information about what they do elsewhere on the Internet.” Lane v. Facebook, Inc., 696 F.3d 811, 816 (9th Cir. 2012). In short, it sent data from external websites to Facebook, which allowed for targeted advertising and publishing of external activities on members’ personal profiles. Companies such as Overstock.com, Blockbuster, and Bluefly contracted with Facebook to participate in the Beacon program.

The program was not opt-in; it never required the Facebook members to give affirmative consent in order to participate. Many members complained about a violation to their privacy. While one could “opt-out” of the Beacon program, in order to do so the member had to understand Facebook’s privacy controls, but also those of third party Beacon participantshttp://docs.justia.com/cases/federal/district-courts/california/candce/5:2008cv03845/206085/1/. Further, there was no option to turn off the program altogether. A Computer Associates security researcher found that Beacon reported back to Facebook about a member’s activities on third party participant sites, even if users were logged off Facebook and opted out of Beacon. There were many complaints by Facebook users about Beacon – within ten days, more than 50,000 Facebook members signed a petition objecting to the program. The Beacon program remained turned on by default until December 2007, when, in response to negative press and negative responses by Facebook members, Facebook instituted new privacy controls. Ultimately Beacon was taken down altogether in 2009, as a condition of the class action settlement.

As a result of the settlement, the plaintiff’s attorneys were paid around $2.5 million; the 19 named plaintiffs on the class action received amounts varying from $1,000 to $15,000; but the remaining $6.5 million was not disbursed to the class, and instead was granted cy pres to fund (and found) a charity called the Digital Trust Foundation. The Foundation will directed by a three-person board, including Facebook’s director of public policy, Tim Sparapani. The Foundation made a written commitment to “fund and sponsor programs designed to educate users, regulators[,] and enterprises regarding critical issues relating to protection of identity and personal information online through user control, and the protection of users from online threats.” In short, the Foundation, created by Facebook’s money, which has a Facebook officer as a member of its three-person board, would do no work to remedy Internet companies’ unauthorized disclosure of private information and invasion of privacy. Rather, its goal will be to educate users and to shift the onus of responsibility for invasion of privacy to the person who had their private information disseminated.

JUDGE MILAN SMITH’S DISSENT

The cy pres settlement drew criticism and challenges, including from the Electronic Privacy Information Center. “[T]he term ‘cy pres’ derives from the Norman French expression cy pres comme possible, which means ‘as near as possible,’” and arose as a rule of construction to save a testamentary charitable gift that would otherwise fail, allowing the next best use of the funds. Democratic Cent. Comm. v. Washington Metro. Area Transit Comm’n, 84 F.3d 451, 455 n.1 (D.C. Cir. 1996). Upon the 9th Circuit’s denial of rehearing en banc, Judge M. Smith, joined by Judges Kozinski, O’Scannlain, Bybee, Bea, and Ikuta, dissented on the grounds that the cy pres award (1) was neither reasonably certain to benefit the class, (2) nor advanced the objectives of the statutes relied upon in bringing suit.

As Judge Smith noted, the Digital Trust Foundation has no record of service in remedying the types of wrongs alleged by class action plaintiffs, because the Foundation is going to be created as a part of the settlement. As such, it has no history whatsoever. Arguably, having a organization specifically created to address the types of wrongs alleged by plaintiffs could be an appropriate remedy, as long as the funds granted by the settlement would be definitely and narrowly used for the benefit of class members. However, “[[http://cdn.ca9.uscourts.gov/datastore/opinions/2013/02/26/10-16380.pdf][[f]ashioning an open-ended, one-sentence mission statement]] . . . completely eviscerate[s] the meaning of [the 9th Circuit’s] previously controlling case law” on cy pres. The Foundation’s written commitment is to fund and sponsor “programs” to “educate users” on “critical issues” relating to Internet privacy—very general terms.

Ninth Circuit precedent requires that charities spend cy pres funds to advance “objectives of the underlying statutes.” Nachshin v. AOL, LLC, 663 F.3d 1034, 1036 (9th Cir. 2011). However, in this case, all but one of the underlying statutes under which class action plaintiffs brought their cases—the Electronic Communications Privacy Act, the Computer Fraud and Abuse Act, the Video Privacy Protection Act, and the California Computer Crime Law (exception is the California Consumer Legal Remedies Act)—are meant to prevent the unauthorized access or disclosure of private information. Given that Facebook already has possession of all of member information, it seems rather pointless to have a charity that will focus on teaching users on how to protect themselves “through user control” and from “online threats.” If cy pres is supposed to mean “as near as possible,” this falls far short of the mark. As Judge Smith pithily notes, the only way the Foundation could teach Facebook users to protect themselves from Facebook is if it “teaches Facebook users not to use Facebook. That seems unlikely.” And indeed, this seems even more unlikely given Facebook’s presence on the board.

CONCLUSION

As it stands, the cy pres award has been diverted away from plaintiffs into a cause that doesn’t seem like it is designed to redress the wrongs done to the class. As such, it doesn’t benefit the class, and the 9th Circuit should have chosen to rehear the settlement for plaintiffs’ true benefit.

This site is powered by the TWiki collaboration platform. All material on this collaboration platform is the property of the contributing authors. All material marked as authored by Eben Moglen is available under the license terms CC-BY-SA version 4.